Chef Server startup notes

I worked with different provisioning tools and configuration managers in the
last couple of years: Chef, Saltstack, Puppet, Shell, Python, Terraform.
Everything that was allowing me to make automation and describe my
infrastructure as a code.

I really think that this is the correct street and every companies need to stop
to persist random commands in a server:

The code used to describe your infrastructure is reausable.

The code is a good backup and you can put it in your repository to study of
it changed and manage rollbacks.

Your servers become collaborative and your team can review what you do.

Chef is my first configuration manager, I started to use it with Vagrant few
years ago but I never had change to deep drive into it and into the full
chef-server configuration from scratch.

I had this change few days ago and I am here to share some notes. I used
digitalocean to start 1 Chef Server and two nodes, during this post I am not
focused about the recipe and cookbook syntax but I will share some commands and
notes that I took during my test to start and configure a Chef Server.

First of all doctl is the command line application provided by digitalocean
to manage droplets and everything, I used that tool to start my droplets.

The Chef Server doesn’t run in little box, we need 2gb RAM, I tried with small
size but nothing was working, the installation process gone out of memory very
soon. Thanks Ruby.

This provisioning script installs Chef-Server from the official deb package and
also install chef-manage. Chef-manage provides a nice web interface to manage
users, cookbooks and everything is stored into the server.

Our server is up an running reachable over HTTPS (port 443). This configuration
is just for testing purpose. It’s not a good practice leave a Chef Server public
as we are doing. It’s a better idea to close it under a VPN for example.

Chef supports an authentication and authorization level based on users and
companies. We are creating a new user called Gianluca Arbezzano with username
ga@thumpflow.com and as password hellociaobye.
We are also create an organization and we are associating user with org.

Chef-Server works with the concept of Organization and User. The organization
is a group of users that share cookbooks, rules and so on. Users can update
cookbooks and there is also a set of permission to manage access on particular
resources like:

Add a new node

Syncronize cookbook with the server

add new users

At this point we have one user with its own key and credential. You can come
back into the UI and use username (gianarb) and password (hellociaobye) to
login in. The key (–filename) is used to configure knife and encrypt
communication between client and server. There are 3 main actors and this
point that we need to know:

Chef-Server contains all our recipes, cookbooks and it’s the brain of the cluster.

Nodes are all servers configurated by Chef.

Workstation are usually enable to syncronize, update cookbooks. For example
Jenkins or your Continuous Integration System after every new commit can push
every changes into the server.

Chef Server has a HTTP api and knife is a CLI that provide an easy
integration for your node and workstation. With this command we are installing
knife. You can do it in your local environment, to become a workstation and into
the server. (it’s usually a god practice create a user, we are doing everything
as root right know but it’s BAD! don’t be bad!).

We have two certificate one is gianarb_test.pem and it’s identify a specific
user, we need to generate our for every workstation/member of the team and the
validation_client represent the organization, it could be the same across
multiple users.

curl -O-L http://www.opscode.com/chef/install.sh
bash ./install.sh

You can copy paste the 2 keys into the local machine and run this command that
will drive your into the process to create a ~/.chef/knife.rb file that your
cli uses to communicate with the chef server.

knife configure

This is an example of generated knife configuration file that I did in my
server. I lose times to understand the chef_server_url it contains the
hostname of the server but also the `/organization/'
be careful about this or knife will come back with an HTML response in your terminal.

The last 2 commands download and validate the SSH certificate because in the
default configuration the CA is unofficial and we need to force our client to
trust the cert.

knife ssl fetch
knife ssl check

Know that we did that in our server and also in our local environment we can
clone chef-pluto a repository that contains recipes, rules and cookbooks to
configure our node, we need to syncronize it into the server.

The last command update all our repository into the chef server. You can log in
into the web ui and see the micro cookbook and the power rule.

micro is an application that I wrote in go and it just expose the ip of the
machine. It’s a binary and the cookbook downloads and starts it, pretty
straightforward.

At this point we need to make a provisioning of our first node, usually is the
server that install and start the Chef Client into the node, what we can do
it’s store a private key into the server to allow chef to connect to the node.
I copied the digitalocean private key into the server (~/do), from security
point of view you can create a dedicate one. You can also use the -P option if
you are not using an ssh-key to run this example.

knife started the client, syncronized cookbooks, it assigned the power role
at the node and run the correct recipes. Your server is ready and you can
create and delete nodes to make your infrastructure complex how much you like.

Chef is quite old and it’s in ruby (the first one could be a plus but the
second one no really) but it continue to be a good way to make a provisioning o
your infrastructure. Lots of people moved to Ansible but the agent that they
reject offer a very good orchestration feature that it’s something that I
usually search.

I worked with StalStack and it’s very nice, the syntax is easy
and it seems less expensive in terms of configuration, resources and setup but
I am not really sure about the YAML specification. I am not a ruby developer
and I don’t love the ruby syntax but in the end is a programming languages and
I am doing infrastructure as a code.